<mjoseph@dodig.osd.mil>, or Mr. Sanford W. Tomlin at (757) 766-3265, email
<stomlin@dodig.osd.mil>. See Appendix B for the report distribution. The audit team
members are listed inside the back cover.

Robert  J.  Lieberman 
Assistant  Inspector  General 
for  Auditing 
Report No. 99-055 December 15, 1998

(Project  No.  8LF-5013) 

Year  2000  Computing  Issues  Related  to  Health  Care  in  DoD 


Executive  Summary 


Introduction. This report is one of a series being issued by the Inspector General, DoD,
in accordance with an informal partnership with the Chief Information Officer, DoD, to
monitor DoD efforts to address the year 2000 computing challenge. For a complete
listing of audit projects, see the year 2000 webpage on the IGnet at http://www.ignet.gov.

Audit  Objective.  The  audit  objective  was  to  determine  whether  planning  and 
management  are  adequate  to  ensure  that  mission-critical  health  systems  will  continue  to 
operate  properly  in  the  year  2000.  This  report  discusses  year  2000  issues  involving 
health  care  information  systems,  biomedical  devices,  and  facility  devices  (for  example, 
elevators;  heating,  ventilation,  and  air  conditioning  systems;  intrusion  detection  systems; 
and  sprinkler  systems).  This  report  presents  the  results  of  the  first  phase  of  this  project. 
The  second  phase  will  involve  followup  on  the  issues  and  recommendations  raised  in  this 
report,  as  well  as  an  expanded  evaluation  of  testing  and  contingency  plans. 

Audit Results. The Assistant Secretary of Defense (Health Affairs) and the Military
Departments have taken many positive actions to identify and correct year 2000 problems
in the Military Health Systems automated information systems, biomedical devices, and
facility devices. However, further Assistant Secretary of Defense (Health Affairs) action
is needed in reporting slippage in completion dates, preparing interface agreements and
contingency plans, combining year 2000 fixes with functionality upgrades, and
incorporating year 2000 requirements into contracts for automated information systems.

In addition, the Assistant Secretary and the Military Departments need to perform
year 2000 testing of biomedical devices, where possible, and stress that military treatment
facility commanding officers coordinate with installation commanders to ensure that the
appropriate priority is given to year 2000 fixes for critical health care facility devices.
Such actions are critical to ensure that full DoD health care and medical readiness
capabilities are realized in the year 2000 and beyond. The audit results are detailed in
Part I.

Summary  of  Recommendations.  We  recommend  that  the  Assistant  Secretary  of 
Defense  (Health  Affairs)  establish  procedures  to  promptly  report  slippage  in  completion 
dates;  prepare  interface  agreements  and  contingency  plans  in  accordance  with  the  DoD 
Year  2000  Management  Plan;  and  make  sure  slippage  does  not  occur  when  year  2000 
fixes  are  combined  with  system  upgrades.  We  also  recommend  that  the  Assistant 
Secretary  appropriately  test  to  mitigate  the  risks  for  products  obtained  recently  on 
contracts  and  delivery  orders  that  did  not  include  required  year  2000  clauses.  We  also 
recommend  that  the  Assistant  Secretary  perform  tests,  where  possible,  of  biomedical 
devices  for  year  2000  compliance,  and  issue  direction  to  the  Military  Department 
Surgeons  General  that  require  military  treatment  facility  commanders  to  coordinate  with 
installation  commanders  to  ensure  the  appropriate  priority  is  given  to  medical  facility 
devices  in  the  year  2000  compliance  process. 

Management Comments. The Principal Deputy Assistant Secretary of Defense (Health
Affairs) concurred with the finding and recommendations. The Principal Deputy stated
that his staff worked closely with the audit staff to initiate corrective actions as issues
were identified. Procedures were established to ensure project managers report accurate
schedule and management information by adopting an enterprise-wide project
management and reporting system. Before the end of September, 99 percent of interface
agreements were in place and a draft Military Health System contingency and continuity
of operations planning guide was published. Copies of the guide have been provided to
the Assistant Secretary of Defense (Command, Control, Communications and
Intelligence) and other agencies for their use. Actions were taken to accelerate automated
information systems timelines to meet DoD mandated completion dates. Also, all
components of automated information systems will be evaluated for year 2000
compliance. Delivery orders for the Defense Medical Information System/Systems
Integration, Design, Development, Operations and Maintenance Services I contract will
contain the required year 2000 language. The Office of the Assistant Secretary of
Defense (Health Affairs) is working with the American Hospital Association and
biomedical equipment manufacturers to outline criteria and methods to evaluate
manufacturers' procedures used to ensure compliance. Special emphasis has been placed
on ensuring that medical treatment facility commanders closely coordinate year 2000
compliance for medical facility devices with installation commanders. See Part I for a
summary of management comments and Part III for the complete text of the comments.

Audit Response. The Principal Deputy's comments were fully responsive and no
additional comments are required. Throughout the audit we worked closely with the staff
in the Office of the Assistant Secretary of Defense (Health Affairs), which aggressively
searched to identify year 2000 problems and solutions, and initiated many actions to
correct the issues. We will evaluate the actions taken during the second phase of this
audit. We commend the staff's proactive and aggressive approach to resolving year 2000
issues.

Part I - Audit Results


Audit  Background 


The year 2000 (Y2K) problem is the term most often used to describe the
potential failure of information technology systems to process or perform
date-related functions before, on, or after the turn of the century. The Y2K problem is
rooted in the way automated information systems record and compute dates. For
the past several decades, systems have typically used two digits to represent the
year, such as “98” representing 1998, to conserve electronic data storage and
reduce operating costs. With the two-digit format, however, Y2K is
indistinguishable from 1900. As a result of the ambiguity, computers and
associated systems and application programs that use dates to calculate, compare,
or sort could generate incorrect results when working with years after 1999.
Calculation of dates is further complicated because the year 2000 is a leap year,
the first century leap year since 1600. The computer systems and applications
must recognize February 29, 2000, as a valid date.

Because of the potential failure of computers to run or function throughout the
Government, the President issued Executive Order 13073, “Year 2000
Conversion,” February 4, 1998, making it policy that Federal agencies ensure that
no critical Federal program experiences disruption because of the Y2K problem.
The order requires that the head of each agency ensure that efforts to address the
Y2K problem receive the highest priority attention in the agency. The order also
listed health care as one of five critical areas in which the Federal Government
should cooperate with the private sector.

A Secretary of Defense memorandum, “Year 2000 (Y2K) Compliance,”
August 7, 1998, stated that DoD is making insufficient progress in its effort to
solve its Y2K computer problem. The memorandum directed more accountability
and reporting requirements at the highest levels within DoD. The memorandum
further stated that if Y2K progress is still lagging in November and December
1998, all further modifications to software, except those needed for Y2K
remediation, will be prohibited after January 1, 1999.

A Deputy Secretary of Defense memorandum, “Year 2000 (Y2K) Verification of
National Security Capabilities,” August 24, 1998, stated that each Principal Staff
Assistant of the Office of the Secretary of Defense must verify that all functions
under his or her purview will continue unaffected by Y2K issues. The
memorandum further required that the designated Principal Staff Assistant
provide plans for Y2K-related end-to-end testing of each process within five
functional areas, including health care, to the Deputy Secretary of Defense by
November 1, 1998.

DoD Y2K Management Strategy. In his role as the DoD Chief Information
Officer, the Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence) (ASD[C3I]) issued version 1.0 of the “DoD
Year 2000 Management Plan” in April 1997. Version 1.0 requires DoD
Components to implement a five-phase (awareness, assessment, renovation,
validation, and implementation) Y2K management process. Subsequently,
ASD(C3I) issued version 2.0 of the “DoD Year 2000 Management Plan, For
Signature Draft” (DoD Management Plan), in June 1998, which accelerates the
target completion dates for the renovation, validation, and implementation phases.
The new target completion date for implementation of mission-critical systems is
December 31, 1998. Both versions provide the overall DoD strategy and
guidance for inventorying, prioritizing, fixing, and retiring systems and for
monitoring progress. They also state that the DoD Chief Information Officer has
overall responsibility for overseeing the DoD solution to the Y2K problem.

In a January 20, 1998, memorandum for the heads of executive departments and
agencies, the Office of Management and Budget (OMB) established a new target
date of March 1999 for implementing corrective actions to all systems. The new
target completion dates for the renovation and validation phases are
September 1998 and January 1999, respectively.

Year 2000 Responsibilities for Health Care Systems. Y2K issues in DoD
health care encompass automated information systems (AIS), biomedical devices,
and facility devices. The Assistant Secretary of Defense (Health Affairs)
(ASD[HA]) is responsible for providing oversight of AIS Y2K compliance.
Individual AIS project managers, many from the Military Departments, have the
specific responsibility for correcting noncompliant Y2K AIS. ASD(HA) prepares
and provides the quarterly Y2K status reports to ASD(C3I), for OMB, on AIS and
biomedical devices. The Military Departments are responsible for correcting
potential Y2K problems in biomedical devices and facility devices, and reporting
the Y2K status of facility devices to ASD(C3I). The following sections provide
details on AIS and biomedical and facility devices.

AIS. ASD(HA) maintains an internal database of all AIS being tracked
for Y2K compliance purposes. The database is used to prepare and provide
quarterly reports to ASD(C3I) and internally monitor AIS Y2K status. A
comparison of information in the internal database showed that significant
slippage has occurred in the dates mission-critical AIS will complete the final
three phases of the DoD Management Plan. Details are shown in Table 1.




Table 1. Slippage of Dates Mission-Critical AIS Will Complete Renovation,
Validation, and Implementation Phases

                                        Number in          Number in
                                        Database as of     Database as of
Mission-Critical AIS                    March 18, 1998     July 28, 1998

Total mission-critical AIS                    77                 65

Number of AIS not completing
renovation phase by June 30, 1998             13                 20

Number of AIS not completing
validation phase by October 31, 1998           7                  9

Number of AIS not completing
implementation phase by
December 31, 1998                             10                 15

Table 1 shows a reduction in the number of mission-critical AIS in the database
from March 18 to July 28, 1998. In addition, a recent action to categorize
mission-critical AIS (discussed in finding) should result in a further reduction in
the number of mission-critical AIS reported to ASD(C3I). The quarterly reports
to ASD(C3I) for OMB show the number of AIS in each phase, but do not show
the projected dates for completing each phase. As a result, ASD(C3I) may not be
aware of the projected AIS slippage until it has occurred. The report to ASD(C3I)
for the quarter ending June 30, 1998, showed 64 mission-critical AIS. The
difference between the 64 mission-critical AIS reported to ASD(C3I) and the 65
shown in the above schedule occurred because the information was taken from the
database on different dates. The report showed 20 (31.1 percent) of the 64 AIS
were Y2K compliant and all had completed the awareness phase. The report also
showed 1 in the assessment phase, 13 in the renovation phase, 9 in the validation
phase, 12 in the implementation phase, and 9 to be decommissioned by December
1999. ASD(HA) estimated that it will cost about $66.3 million to successfully
complete its Y2K program for mission- and nonmission-critical AIS.

Biomedical Devices. The DoD Management Plan reduced the five-phase
management strategy to three phases (inventory, assessment, and implementation)
for biomedical devices, facility devices, and other embedded chip applications.
Potential Y2K sensitivity is a concern related to the embedded chips in any device
that includes a microchip or microprocessor. According to a tri-service process
action team responsible for the biomedical device area, the inventory phase for
biomedical devices was completed by March 31, 1998, as required. The process
action team originally estimated that the assessment phase would be completed by
November 30, 1998, as required. However, during a July 22, 1998, health
functional area interface assessment workshop, chaired by the Special Assistant to
the ASD(C3I) for Y2K, the team acknowledged that the OMB March 1999 time
frame for completing the implementation phase for noncompliant biomedical
devices will not be met. Because of the need to use equipment scheduled for
replacement or repair after the OMB March 1999 deadline, MTFs are expected to
request waivers to the deadline.

Facility Devices. Facility devices are the basic support and operational
equipment (for example, elevators; heating, ventilation, and air conditioning
systems; intrusion detection systems; and sprinkler systems) used in the hospital
and clinic building infrastructure. The Y2K status of DoD medical facility
devices is determined and reported in conjunction with the host installation
through the Military Department chain of command. As a result, it is difficult for
DoD management to determine the Y2K status of a specific medical facility.
Version 1.0 of the DoD Year 2000 Management Plan did not adequately address
facility issues, such as embedded chips. The first DoD Facility Interface
Assessment Workshop was not held until March 11, 1998. As a result,
inventories of medical facility devices were not completed by March 31, 1998, as
required. During a July 22, 1998, briefing to ASD(C3I), the Air Force stated that
the inventory of medical facility devices was complete, the Army stated that the
inventory of facility devices was about 90 percent complete, and the Navy did not
have sufficient information to estimate the percentage of inventories that had been
completed. The details of the Military Departments' strategy for expediting
completion of the inventory, assessment, and implementation phases for facility
devices are discussed in the finding.


Audit  Objectives 

The audit objective was to determine whether planning and management are
adequate to ensure that mission-critical health systems will continue to operate
properly in the year 2000. Specifically, the audit examined DoD management
policy and guidance relevant to health care AIS, biomedical devices, and facility
devices. See Appendix A for a discussion of the audit scope and methodology and
for a summary of prior coverage.

Status of the DoD Health Care Year 2000 Program

The ASD(HA) and the Military Departments have taken many positive
actions to identify and correct Y2K problems in the Military Health
Systems AIS, biomedical devices, and facility devices. However, in the
AIS area, additional action is needed to:

•  promptly  report  slippage  of  renovation,  validation,  and 
implementation  completion  dates; 

•  properly  prepare  interface  agreements; 

•  properly  prepare  contingency  plans; 

•  avoid  lengthy  delays  in  Y2K  fixes  due  to  combining  Y2K  fixes 
with  functionality  upgrades;  and 

•  incorporate  Y2K  requirements  into  contracts. 

In addition, ASD(HA) and the Military Departments need to perform Y2K
testing of biomedical devices, where possible, and stress the need for
military treatment facility (MTF) commanding officers to coordinate with
installation commanders to ensure appropriate priority is given to Y2K
fixes for critical health care facility devices. Such actions are critical to
ensure that full DoD health care and medical readiness capabilities are
realized in Y2K and beyond.


Actions  Taken  to  Address  the  Year  2000  Problems 

Categorization of Mission Critical AIS. The ASD(HA) recognized the
importance of AIS Y2K compliance early and established a Y2K project office
May 1, 1997. In July 1998, the OASD(HA) began categorizing all AIS that were
previously considered mission critical into three categories (mission critical,
mission essential, and mission support). The need for the refined categorization
demonstrates the difficulty ASD(HA) has experienced in isolating those systems
that are critical to mission performance. The intent of the categorization is to
establish priorities for the 65 AIS previously identified as mission critical in order
to focus limited funding and personnel resources on the most critical systems. We
commend this approach.

The AIS that were previously reported as mission critical include direct patient
care systems, such as the Composite Health Care System and the Defense Blood
Standard System, as well as nonpatient care systems like the Medical Expense
Performance and Reporting System. Although those systems were not of equal
importance in delivering health care and maintaining readiness, they were
considered equal when sharing the resources available for fixing Y2K problems.
Categorization is a significant positive step toward prioritizing AIS to ensure Y2K
compliance of the systems that directly support patient care and readiness.
ASD(HA) completed the categorization process August 31, 1998, and 13 AIS are
now considered mission critical.

Biomedical Devices. Because of the similarity of the biomedical devices at each
MTF and to facilitate the process of determining Y2K compliance for biomedical
devices, the Military Departments established a tri-service process action team.
The establishment of the tri-service process action team has greatly facilitated the
process for determining the Y2K status of the biomedical devices. The process
action team also exchanges information on biomedical devices with the
Departments of Health and Human Services and Veterans Affairs. The
Department of Health and Human Services maintains a webpage at
http://www.fda.gov/cdrh/yr2000/year2000.html. Y2K compliance information is
subsequently provided to individual MTFs for appropriate action, such as
arranging for repair or replacement of biomedical devices that are not Y2K
compliant. As of August 18, 1998, the tri-service process action team had
received responses from 95 percent of the manufacturers on the Y2K compliance
of medical products determined to be potential Y2K problems.

Facility Devices. In June 1998, DoD and the Department of Veterans Affairs
established a joint medical facility devices group to coordinate the Y2K
compliance of facility devices. The group also shares Y2K information on facility
devices with the General Services Administration and the information is available
at its webpage (http://y2k.lmi.org/gsa/y2kproducts/search.htm). The establishment
of the joint medical facility devices group to share and coordinate Y2K
information was a significant positive action toward determining the Y2K
compliance of facility devices.


Prompt  Reporting  of  Slippage  for  Completing  AIS  Renovation, 
Validation,  and  Implementation 


AIS  Program  Managers  were  aware  of  the  slippage  in  completion  dates,  but  the 
slippage  was  not  promptly  reported  to  the  ASD(HA)  Y2K  Project  Office. 

Reporting Slippage in Completion Dates. As discussed previously, significant
slippage has occurred in the dates for completing the AIS renovation, validation,
and implementation phases. ASD(HA) maintains an internal database on AIS
completion dates. The database is used to monitor AIS Y2K status and to prepare
and provide quarterly AIS Y2K status reports to ASD(C3I) and OMB. Y2K
Project Office personnel believed many of the AIS completion dates were
unrealistic. However, the office relies on the dates provided by the AIS project
managers. AIS project managers did not always notify the Y2K Project Office
when estimated completion dates for the Y2K phases changed. We selected five
mission-critical AIS and compared the completion dates in the OASD(HA) Y2K
database to the completion dates provided by AIS project managers. Table 2
shows the slippage that occurred that was not reported to the ASD(HA) Y2K
Project Office.

Table 2. AIS Completion Dates
(as of August 18, 1998)

AIS                              Renovation       Validation       Implementation

Corporate Executive
Information System
  Y2K Project Office             Aug. 30, 1998    Sept. 30, 1998   Oct. 30, 1998
  AIS Program Office             Oct. 30, 1998    Dec. 15, 1998    Jan. 31, 1999

Pathology Information
Management System
  Y2K Project Office             Jul. 31, 1998    Jul. 31, 1998    Aug. 1, 1998
  AIS Program Office             Jul. 31, 1998    Aug. 31, 1998    Sept. 1, 1998

Shipboard Non-Tactical
ADP Program-Shipboard
Automated Medical System
  Y2K Project Office             Aug. 15, 1998    Sept. 1, 1998    Dec. 31, 1998
  AIS Program Office             Aug. 15, 1998    Sept. 30, 1998   Dec. 31, 1998

Uniform Chart of Account
Personnel System
  Y2K Project Office             Sept. 30, 1998   Sept. 30, 1998   Nov. 30, 1998
  AIS Program Office             Sept. 30, 1998   Nov. 25, 1998    Feb. 28, 1999

Workload Management
System For Nursing
  Y2K Project Office             Sept. 30, 1998   Sept. 30, 1998   Nov. 30, 1998
  AIS Program Office             Sept. 30, 1998   Oct. 30, 1998    Feb. 28, 1999

Importance of Accurate Y2K Status Reporting. Communication between the
AIS project managers and the ASD(HA) Y2K Project Office is essential for the
accurate reporting of realistic completion dates to DoD management. When the
projected completion dates slip but are not promptly reported up the chain of
command, senior management in DoD and OMB may not be aware that systems
are slipping until after the required completion dates are missed. Without such
information, management may not be focusing attention and limited Y2K
resources on the mission critical AISs that are the most behind and critical to
patient care.

Preparing  AIS  Interface  Agreements 

ASD(HA)  had  not  completed  all  interface  agreements  and  the  completed  interface 
agreements  were  not  always  prepared  in  accordance  with  the  DoD  Management 
Plan. 

Definition of Interface. The DoD Management Plan defines an interface as a
boundary across which two systems communicate. An interface might be a
hardware connector used to link to other devices, or it might be a convention used
to allow communication between two software systems. Interfaces may connect
AIS internal to the Military Health System, internal to DoD, or external to DoD.




Preparing Interface Agreements. As of July 24, 1998, agreements were not
completed for 51 (25 percent) of the 204 interfaces identified for the 65
mission-critical AIS. The DoD Management Plan required that the renovation phase be
completed by June 30, 1998, and all interface agreements be completed by the end
of the renovation phase. The DoD Management Plan also provides a sample
interface agreement and the minimum information that the agreements must
contain. A review of 18 completed AIS interface agreements disclosed that only
2 agreements met the minimum requirements. The remaining interface
agreements were deficient in one or more of the following areas.

•  12 did not include a data set or data file name and description of the
interface;

•  11  did  not  include  an  interface  strategy  for  both  sending  and  receiving 
systems  (for  example,  field  expansion,  procedural  code,  sliding 
window,  or  combination  of  these  strategies);  and 

•  2  did  not  show  milestone  dates  for  completing  analysis,  programming, 
testing,  joint  testing,  and  implementation  to  ensure  the  completion  of 
all  tasks  by  December  31, 1998. 

The ASD(HA) Y2K Project Officer agreed with the deficiencies and initiated an
interface agreement checklist to try to prevent the deficiencies from continuing to
occur.

Importance of Interface Agreements. Accurate data exchanges are critical to
the successful operation of many AIS. AIS interface identification, along with
properly prepared interface agreements, must be in place to ensure accurate data
exchanges. Those agreements also facilitate the preparation of the plans for Y2K
testing required in the Deputy Secretary of Defense August 24, 1998,
memorandum. In view of the deficiencies in this area, ASD(HA) should closely
monitor the preparation of interface agreements.


Preparing  AIS  Contingency  Plans 


Contingency plans were not always developed for mission-critical AIS that were
reported as being 2 or more months behind DoD Y2K time frames. In addition,
completed contingency plans were not always developed in accordance with DoD
and General Accounting Office contingency planning guidelines.

Definition of Contingency Plan. The General Accounting Office defines
contingency plan as a “plan for responding to the loss or degradation of essential
services due to a problem in an automated system. In general, a contingency plan
describes the steps to take, including the activation of manual or contract
processes, to ensure the continuity of core business processes in the event of a
Y2K induced system failure.” The DoD Management Plan states that system
level contingency planning is the primary management tool to prepare for
unanticipated disruptions. The DoD Management Plan recognizes that the level
of detail in a contingency plan will depend on system complexity and its priority.

OASD(HA) Contingency Plans. The DoD Management Plan requires the
development of a contingency plan for any mission-critical AIS that is 2 or more
months behind the Y2K milestones. The July 1998 quarterly report to ASD(C3I)
showed that 18 AIS were 2 or more months behind the DoD required dates for
completing one or more of the final 3 phases. However, contingency plans had
been developed for only 7 of the 18 mission-critical AIS. In addition, a review of
six completed contingency plans disclosed that only two were prepared in
accordance with DoD and GAO contingency planning guidelines. Based on our
review of DoD and GAO guidance we concluded that AIS contingency plans
should, at a minimum:

•  identify  hazards  or  risks  that  could  cause  system  failure  and  identify 
the  effects  of  the  failure, 

•  identify  ways  to  preserve  and  protect  system  data, 

•  identify  emergency  alternative  procedures  to  perform  during 
contingencies, 

•  define  triggers  to  activate  contingency  plans,  and 

•  establish “zero day” strategy and procedures.

The  results  of  our  review  of  six  contingency  plans  to  determine  compliance  with 
the  above  criteria  are  shown  in  Table  3. 

Table 3. Compliance with Contingency Plan Criteria

                              Identify   Preserve   Alternative              Zero Day
AIS                           Risks      Data       Procedures    Triggers   Strategy

Automated Blood Product
Labeling System               Yes        Yes        Yes           Yes        Yes

Bureau of Medicine
Information System            No         Yes        Yes           No         No

Composite Health Care
System                        No         Yes        Yes           No         No

Defense Blood Standard
System                        Yes        No         No            No         No

Medical Expense and
Performance Reporting
System-Expense
Assignment System III         Yes        No         No            No         No

Transportation Command
Regulating and
Command and Control
Evacuation System             Yes        Yes        Yes           Yes        Yes

Importance  of  Contingency  Planning.  The  DoD  Management  Plan  states  that 
even  systems  that  have  been  renovated  and  tested  could  fail,  and  the  failure  of  one 
system  could  disrupt  many  others.  For  example,  the  Composite  Health  Care 
System  interfaces  with  at  least  19  other  AIS.  The  DoD  Management  Plan  further 
states  that  system  level  contingency  planning  is  the  primary  management  tool  to 
prepare  for  unanticipated  disruptions.  Therefore,  contingency  planning  is  a 
critical responsibility of DoD Components.


Combining  Y2K  Fixes  With  AIS  Upgrades 


Major mission-critical AIS were not meeting the required DoD and OMB
completion dates for the renovation, validation, and implementation phases, in
part,  because  Y2K  fixes  were  being  combined  with  system  functionality  upgrades. 

Strategy for Y2K Fixes. The DoD Year 2000 Management Plan, version 1.0,
stated  that  existing  resources  would  be  used  for  Y2K  compliance  efforts.  As  a 
result,  AIS  project  managers  adopted  a  cost-effective  strategy  of  combining  Y2K 
compliance  efforts  with  other  planned  system  upgrades.  We  reviewed  portions  of 
contract  tasking  documents  or  statements  of  work  for  upgrading  four  AIS 
(Corporate Executive Information System, Composite Health Care System,
Military  Expense  and  Performance  Reporting  System-Expense  Assignment 
System  III,  and  Nutrition  Management  Information  System).  Each  of  the  AIS 
included  Y2K  compliance  efforts  as  a  task  or  subtask  in  conjunction  with  other 
planned  product  improvements.  However,  the  negotiated  timelines  for  system 
upgrades  did  not  ensure  that  the  various  phases  of  the  Y2K  effort  would  be 
completed  by  the  dates  required  in  the  DoD  Management  Plan.  For  example,  the 
program  managers  for  the  Corporate  Executive  Information  System  and  the 
Composite  Health  Care  System  estimate  completion  of  the  Y2K  implementation 
phase  to  be  January  31, 1999,  and  March  31, 1999,  respectively.  These  dates  are 
beyond  the  DoD  Management  Plan  requirement  of  December  31,  1998. 

According  to  the  ASD(HA)  Y2K  project  manager,  the  Composite  Health  Care 
System  is  considered  to  be  the  highest  priority  AIS. 

Importance  of  Separating  Y2K  Compliance  for  System  Upgrades.  Although 
the  strategy  of  including  Y2K  efforts  with  other  tasks  appears  to  be  cost-effective, 
we  believe  ASD(HA)  should  monitor  this  situation  closely,  particularly  for  the 
13  systems  recently  categorized  as  mission  critical.  The  ability  to  deliver  care 
could  be  significantly  degraded,  especially  where  contingency  plans  do  not  exist. 
Therefore, if further slippage occurs, ASD(HA) should consider modifying
contracts  to  separate  the  Y2K  fix  from  other  system  upgrades  and  increasing  the 
number  of  software  installation  teams. 


Incorporating  Y2K  Requirements  in  AIS  Contracts 

ASD(HA)  contracting  officers  did  not  require  that  AIS  hardware  and  software 
purchased  under  four  contracts  be  Y2K  compliant.  Delivery  orders  for  two  of  the 
contracts  contained  language  that  addressed  the  Y2K  issue;  however,  the  language 
did  not  provide  the  assurances  required  by  ASD(C3I)  guidance. 

Federal  Acquisition  Regulation  Definition  of  Y2K  Compliant.  The  Federal 
Acquisition  Regulation,  part  39.002  states: 

Year  2000  compliant,  as  used  in  this  part,  means,  with  respect  to 
information technology, that the information technology accurately
processes date/time data (including, but not limited to, calculating,
comparing, and sequencing) from, into, and between the twentieth and
twenty-first centuries, and the years 1999 and 2000 and leap year
calculations,  to  the  extent  that  other  information  technology,  used  in 
combination  with  the  information  technology  being  acquired,  properly 
exchanges  date/time  data  with  it. 

ASD(C3I)  Guidance.  ASD(C3I)  memorandum  “Acquisition  of  Year  2000(Y2K) 
Compliant  Information  Technology  (IT)  and  Bringing  Existing  IT  into 
Compliance,”  December  18, 1997,  provides  guidance  on  AIS  procurements.  The 
memorandum states that orders for information technology shall not be placed
against a contract or other acquisition instrument unless that contract or
instrument requires Y2K compliance or the order itself requires Y2K compliance.

AIS Purchases. Details of the AIS hardware and software purchases that were
made  under  the  four  contracts  are  provided  in  the  following  paragraphs. 

Contracts  One  and  Two.  ASD(HA)  established  a  Support  Hardware  and 
Automation  Related  Products-Generic  (SHARP-G)  Program  to  purchase  AIS 
hardware  and  software.  The  SHARP-G  Program  was  for  1  year  (August  8,  1997, 
through  August  7, 1998)  and  offered  procurement  opportunities  under  three 
contracts  for  commercial  off-the-shelf  products.  None  of  the  contracts  under  the 
SHARP-G  program  required  products  to  be  Y2K  compliant.  A  total  of  seven 
delivery orders were issued from December 18, 1997, through the expiration of
the  SHARP-G  program.  The  delivery  orders  were  placed  against  two  of  the  three 
contracts  and  the  delivery  orders  did  not  require  products  to  be  Y2K  compliant 
(see  Table  4). 

Table 4. Delivery Orders That Did Not Include Required ASD(C3I) Y2K Language

Contract No.        Delivery Order   Date of Order    Amount

DASW01-97-D-0097    0001             Aug. 3, 1998     $  101,924
DASW01-97-D-0095    0001             Apr. 21, 1998        81,552
DASW01-97-D-0095    0002             Apr. 21, 1998        88,348
DASW01-97-D-0095    0003             Jun. 10, 1998        10,239
DASW01-97-D-0095    0004             Jun. 10, 1998        84,859
DASW01-97-D-0095    0005             Aug. 4, 1998         50,527
DASW01-97-D-0095    0006             Aug. 4, 1998      3,008,824

Total                                                 $3,426,273


Contracts  Three  and  Four.  On  March  17, 1995,  ASD(HA)  awarded  four 
contracts  for  AIS  services,  hardware,  and  software  under  the  Defense  Medical 
Information  System/Systems  Integration,  Design,  Development,  Operations  and 
Maintenance  Services  (D/SIDDOMS)  Program.  The  D/SIDDOMS  Program 
expires  March  31, 1999.  We  reviewed  two  of  the  four  contracts  (DAW01-95-D- 
0024  and  DAW01-95-D-0025)  that  were  used  significantly.  Because  neither  the 
D/SIDDOMS  solicitation  nor  the  two  contracts  contained  Y2K  language, 
ASD(HA)  attempted  to  put  the  Y2K  language  in  the  delivery  orders  under  the 
contracts.  We  reviewed  10  delivery  orders  under  contract  DAW01-95-D-0024 
and 9 delivery orders under contract DAW01-95-D-0025, dated from
December 18, 1997, through June 10, 1998, for Y2K compliance. The
19 delivery orders totaled over $28 million and included support services,
software, and hardware. However, we could not determine the exact amount
expended  for  services,  software,  or  hardware.  Of  the  19  delivery  orders,  3 
included  language  that  satisfied  ASD(C3I)  Y2K  contract  requirements.  The  other 
16  included  Y2K  language,  but  did  not  satisfy  ASD(C3I)  Y2K  contract 
requirements. Instead, the delivery orders specifically stated that the prime
contractor did not warranty the Y2K compliance for any products provided by
subcontractors to DoD through the prime contractor. The delivery orders stated,
with respect to the requirements for year 2000:

... purchased hardware and/or software, the contractor does not offer
any  warranties.  The  contractor  will  pass  the  vendors’  and/or 
manufacturers’  standard  warranties/certifications  to  the  Government. 

With  respect  to  those  vendors  or  manufacturers  of  any  additional 
purchased  products,  which  do  not  provide  a  warranty  or  certification  of 
Year  2000  compliance,  the  contractor  will  identify  these  to  the 
Government  for  its  determination/decision  as  to  whether  these  products 
should  be  acquired  for  the  project. 


Further,  as  to  any  third-party  products  or  services  provided  by 
subcontractors  or  vendors  under  this  Delivery  Order,  the  contractor 
shall,  to  the  extent  normally  permitted  by  the  manufacturer,  pass 
through  and  assign  to  the  Government  all  of  manufacturer’s  standard 
warranties,  if  any,  including  warranties  regarding  Year  2000 
compliance,  but  the  contractor  shall  not  have  any  further  liability  or 
responsibility  with  respect  thereto.  The  contractor  provides  no  further 
warranty,  express  or  implied,  regarding  the  Year  2000  performance. 

Federal  Acquisition  Regulation,  subpart  9.601  states  that  a  contractor  team 
arrangement  develops  when  a  prime  contractor  agrees  with  one  or  more  other 
companies to have them act as its subcontractors under a specified Government
contract or acquisition program. Federal Acquisition Regulation, subpart 9.604
states that a contractor team arrangement does not limit the Government’s right to
hold the prime contractor responsible for the actions of the subcontractor, no
matter  what  the  terms  are  of  the  team  arrangement. 

Importance  of  ASD(C3I)  Y2K  Contract  Requirements.  Without  including 
ASD(C3I)-required Y2K contract language, ASD(HA) had no assurance that
purchased AIS products were Y2K-compliant; and there was no contractor
obligation to fix the items that were found to be noncompliant. Because hardware
and  software  from  the  contracts  reviewed  may  be  integrated  into  mission-critical 
applications,  the  full  risk  of  having  non-Y2K-compliant  AIS  hardware  and 
software  is  unknown.  Therefore,  ASD(HA)  should  determine  where  the  AIS 
products  purchased  under  the  7  SHARP-G  and  16  D/SIDDOMS  delivery  orders 
are  being  used  and  perform  the  appropriate  Y2K  testing  to  mitigate  risks. 
ASD(HA) should also require that all delivery orders for AIS under the
D/SIDDOMS  Program,  which  expires  March  31, 1999,  include  ASD(C3I)  Y2K 
requirements. 


Y2K  Testing  and  Contingency  Plans  for  Biomedical  Devices 

ASD(HA)  was  not  planning  tests  to  determine  the  Y2K  compliance  of  biomedical 
devices.  In  addition,  the  development  of  contingency  plans  for  biomedical 
devices  had  not  begun. 

Strategy for Determining Compliance. ASD(HA) was relying on the
manufacturers’ statements of Y2K compliance for biomedical devices. The cover
story in Modern Healthcare magazine, August 10, 1998, discussed the perils of
the failure of biomedical devices and the risks of relying on manufacturers’
compliance statements. The article warned that equipment manufacturers
frequently change their position on the Y2K compliance status of their products.

The  DoD  Management  Plan  recognizes  that  devices  considered  Y2K  compliant 
might  fail;  therefore,  it  requires  that  contingency  plans  be  developed  as  a  backup. 
We  realize  that  contingency  plans  for  biomedical  devices  are  not  required  until 
December  31,  1998.  However,  we  saw  no  evidence  of  an  effort  to  develop 
contingency  plans  for  biomedical  devices. 

Importance  of  Testing  Biomedical  Devices.  As  discussed  earlier,  the  tri-service 
process  action  team  for  biomedical  devices  has  received  responses  from 
approximately  95  percent  of  the  biomedical  devices  manufacturers.  Because  this 
phase  of  the  compliance  process  is  nearing  completion,  ASD(HA)  should  perform 
sample  tests,  where  possible,  to  determine  the  validity  of  the  manufacturer’s 
responses  indicating  Y2K  compliance.  Testing  plans  and  results  should  be  shared 
with  other  Government  agencies  to  the  maximum  possible  extent. 


Emphasis  on  Medical  Facility  Compliance 

The  Military  Departments  did  not  complete  the  medical  facility  device  inventories 
by  March  31,  1998,  and  may  not  complete  the  implementation  phase  by 
December  31,  1998,  as  required  by  the  DoD  Management  Plan. 

Facility  Devices  Inventory  and  Assessment.  Recognizing  they  were  behind,  the 
Military  Departments  have  contracted  portions  of  the  inventory  and  assessment  of 
medical facility devices. Details concerning each Military Department's in-house
and  contractual  efforts  in  this  area  are  provided  below. 

Army.  The  Army  initially  performed  the  facility  devices  inventory  and 
assessment  with  in-house  personnel.  However,  the  Army  Medical  Command 
awarded  two  contracts  in  July  1998  to  ensure  the  accuracy  of  the  facility  devices 
inventory  and  assessments.  One  contract,  totaling  about  $15,000,  was  for  training 
MTF  personnel  on  facility  Y2K  issues.  The  other  contract  was  for  validating  the 
accuracy  of  the  inventories  and  assessments  performed  at  10  MTFs  with  a  total 
cost  of  $160,000.  On  August  14,  1998,  the  Army  Medical  Command  reported 
that  the  facility  devices  inventory  was  completed  at  all  38  Army  MTFs,  and 
assessments  were  completed  at  22  of  the  MTFs,  while  the  other  16  MTFs  were 
still  assessing  the  facility  devices.  The  assessments  at  the  22  MTFs  revealed  that 
36  critical  facility  devices  are  noncompliant.  The  estimated  cost  to  repair  12  of 
the  facility  devices  was  $1.4  million  and  the  remaining  24  critical  systems  either 
had  no  cost  to  repair,  or  the  MTF  was  still  determining  the  repair  cost. 

Air  Force.  The  Air  Force  performed  the  facility  devices  inventory  with  in- 
house  personnel.  According  to  the  Air  Force  Medical  Logistics  Office,  as  of 
August  21, 1998, 83  medical  sites  had  completed  their  facility  device  inventories. 
The sites included the MTFs and the medical research and laboratory facilities.

The  Air  Force  method  for  performing  assessments  varies  by  site.  Some  medical 
sites are performing assessments with in-house personnel and some are using
contractors. Additionally, 53 percent of the Air Force medical sites had reported
Y2K  assessment  information  and  30  percent  of  those  sites  had  completed 
assessments.  As  of  August  21, 1998,  the  estimated  cost  to  repair  or  replace  the 
noncompliant  facility  devices  identified  was  $1.3  million. 

Navy.  The  Navy  was  the  last  of  the  Military  Departments  to  begin 
inventorying  and  assessing  facility  devices  for  Y2K  compliance.  The  Navy  used 
in-house personnel to perform facility devices inventories at the 40 MTFs under
the Bureau of Medicine and Surgery Claimancy. In June 1998, the Bureau of
Medicine and Surgery entered into a contract, at an approximate cost of
$385,000, to assess the facility devices inventoried. As of August 6, 1998, all the
MTFs  had  reported  the  inventories  to  the  contractor,  and  the  contractor  was 
assessing  the  facility  devices. 

Importance  of  Determining  Y2K  Compliance  of  Facility  Devices.  To  ensure 
uninterrupted  health  care  and  readiness  support,  MTFs  need  to  determine  the  Y2K 
compliance  of  facility  devices.  Completion  of  the  facility  devices  inventory  and 
assessment phases is required to determine the cost of repairing or replacing
noncompliant devices. In addition, like biomedical devices, some facility devices use
embedded  microchips  and  MTFs  are  dependent  on  manufacturers’  responses  for 
determining  Y2K  compliance.  Slow  manufacturer  responses  could  further  delay 
the  assessment  of  facility  devices.  Even  with  the  establishment  of  the  joint 
medical  facility  devices  group  and  with  contract  support,  the  facility  devices  area 
is  unlikely  to  complete  the  implementation  phase  by  December  31,  1998,  as 
required  by  the  DoD  Management  Plan.  Therefore,  ASD(HA)  should  closely 
monitor Y2K compliance of facility devices and issue direction to the Military
Department Surgeons General requiring MTF commanders to coordinate with
installation  commanders  to  ensure  that  critical  medical  facility  devices  are  given 
the  appropriate  priority  in  the  Y2K  compliance  process. 


Management  Actions  During  the  Audit 

Throughout  the  audit  we  worked  closely  with  the  ASD(HA)  staff  responsible  for 
Y2K  compliance.  As  we  identified  Y2K  problems,  we  notified  ASD(HA)  staff 
members  and  they  initiated  actions  to  correct  the  problems.  Part  III  contains  a 
memorandum from the Principal Deputy ASD(HA) that highlights actions
initiated by his staff during the audit. Those actions included:

•  updating  project  plans  and  using  a  project  management  tool  that  provides  all 
levels  of  management  with  current  schedule  performance  data; 

•  developing  a  quality  review  process  and  checklist  to  ensure  all  required 
interface  agreements  are  prepared; 

•  developing  a  contingency  and  continuity  of  operations  planning  guide; 

• reviewing timelines for all AIS, including those with combined Y2K fixes and
functionality upgrades, to ensure compliance with DoD mandated completion
dates; and

• evaluating components of all AIS for Y2K compliance, including systems
without a Y2K compliance contract clause.

We  commend  the  quick  response  to  the  issues  identified  and  plan  to  evaluate  the 
effectiveness of such actions during the next phase of the audit.


Recommendations  and  Management  Comments 

We  recommend  that  the  Assistant  Secretary  of  Defense  (Health  Affairs): 

1.  Establish  procedures  requiring  automated  information  system 
project  managers  to  promptly  report  slippages  in  automated  information 
system  completion  dates  to  the  Year  2000  Project  Office. 

Management  Comments.  The  Principal  Deputy  ASD(HA)  concurred,  stating 
that procedures were established to ensure AIS project managers report accurate
schedule  information.  The  procedures  include  updating  and  entering  Y2K  project 
plans  into  an  enterprise-wide  project  management  tool  (Primavera  P3).  Actions 
were taken to provide managers at all levels access to the then current schedule
performance  data.  The  Y2K  Project  Office  uses  the  data  to  prepare  all  required 
reports,  ensuring  that  reported  data  are  current  and  accurate. 

2.  Prepare  interface  agreements  for  automated  information  systems 
in  accordance  with  the  DoD  Year  2000  Management  Plan. 

Management  Comments.  The  Principal  Deputy  ASD(HA)  concurred,  stating 
that  as  of  September  23, 1998, 99  percent  of  required  interface  agreements  had 
been  completed.  In  addition,  a  quality  review  process  and  checklist  was  initiated 
and  incorporated  into  the  compliance  assurance  process.  All  agreements  were 
reviewed  and  required  corrective  actions  were  provided  to  the  AIS  program 
managers. 


3.  Prepare  contingency  plans  for  all  automated  information  systems 
that  are  2  or  more  months  behind  the  required  completion  dates,  in 
accordance  with  the  DoD  Year  2000  Management  Plan,  and  ensure  that  the 
contingency  plans  comply  with  DoD  and  the  General  Accounting  Office 
contingency  planning  guidelines. 

Management  Comments.  The  Principal  Deputy  ASD(HA)  concurred,  stating 
that  a  draft  version  of  a  contingency  planning  and  continuity  of  operations 
planning  guide  had  been  prepared  and  distributed.  Because  a  DoD  guide  for 
contingency  plans  has  not  been  developed,  OASD(HA)  will  provide  copies  of  the 
draft  guide  to  the  OASD(C3I)  and  other  agencies  for  their  use.  The  OASD(HA) 
Information  Management  Program  Review  Board  directed  that  contingency  plans 
for mission critical AIS be completed by October 1, 1998. In addition, an
independent  validation  of  contingency  plans  and  continuity  of  operations  plans 
was  incorporated  into  the  compliance  assurance  process. 

4.  Monitor  systems  in  which  year  2000  fixes  and  automated 
information  system  functionality  upgrades  have  been  combined,  and  take  the 
actions necessary to ensure that slippage does not occur in completing
year 2000 compliance in mission-critical systems.

Management  Comments.  The  Principal  Deputy  ASD(HA)  concurred.  Actions 
were  initiated  to  accelerate  timelines  to  meet  DoD  mandated  completion  dates  for 
the  Composite  Health  Care  System,  and  reviews  were  initiated  to  ensure  that  all 
AIS  schedules  will  be  consistent  with  DoD  timelines. 

5.  Determine  where  the  automated  information  system  products 
purchased  under  the  Support  Hardware  and  Automation  Related  Products- 
Generic  Program  and  Defense  Medical  Information  System/Systems 
Integration,  Design,  Development,  Operations  and  Maintenance  Services 
Program  (contracts  DAW01-95-D-0024  and  DAW01-95-D-0025)  are  being 
used  with  mission  critical  systems  and  do  the  appropriate  year  2000  testing  to 
mitigate  risks. 

Management  Comments.  The  Principal  Deputy  ASD(HA)  concurred.  All 
components (hardware, software, and operating system software) of Military
Health System AIS were being validated for Y2K compliance. All components
purchased under contracts, with or without Y2K clauses, will be tested as part of
the  AIS  compliance  assurance  process. 

6.  Include  the  Assistant  Secretary  of  Defense  (Command,  Control, 
Communications,  and  Intelligence)  year  2000  requirements  in  all  delivery 
orders  for  automated  information  systems  under  the  Defense  Medical 
Information  System/Systems  Integration,  Design,  Development,  Operations 
and  Maintenance  Services  program. 

Management  Comments.  The  Principal  Deputy  ASD(HA)  concurred.  The 
Principal  Deputy  stated  that  although  the  D/SIDDOMS I  contract  was  awarded 
before  the  requirement  of  Y2K  compliance  contract  language,  it  will  be 
transitioned  to  the  recently  awarded  D/SIDDOMS  II  contract  by  March  1999. 

The D/SIDDOMS II contract meets the requirement for Y2K specific language.
Until the transition is complete, all new delivery orders awarded under
D/SIDDOMS  I  will  include  appropriate  Y2K  language. 

7.  Perform  sample  tests  for  year  2000  compliance,  where  possible,  of 
biomedical  devices  deemed  year  2000  compliant  by  the  manufacturer. 

Management Comments. The Principal Deputy ASD(HA) concurred.

OASD(HA) is working in conjunction with the American Hospital Association
and  biomedical  equipment  manufacturers  to  outline  criteria  and  methods  to 
evaluate the procedures manufacturers used to ensure compliance. A consensus
within  the  health  community  regarding  biomedical  equipment  testing  is  being 
resolved.  OASD(HA)  will  work  with  the  biomedical  equipment  manufacturers  to 
establish  procedures  for  validating  Y2K  compliance  of  critical  biomedical 
equipment. 

8.  Monitor  year  2000  compliance  of  facility  devices  and  issue 
direction  to  the  Military  Department  Surgeons  General  that  require  military 
treatment  facility  commanders  to  coordinate  with  installation  commanders 
to  ensure  that  critical  medical  facility  devices  are  given  the  appropriate 
priority  in  the  year  2000  compliance  process. 

Management  Comments.  The  Principal  Deputy  ASD(HA)  concurred,  stating 
that  the  Military  Services  Deputy  Surgeons  General  have  prepared  and  distributed 
Y2K medical facility guidance. The guidance includes a requirement to
coordinate  medical  facility  issues  and  concerns  with  local  installation 
commanders  and  facilities  engineering  organizations  to  emphasize  the  priority  of 
resolving  medical  facility  Y2K  problems. 

Part II - Additional Information


Appendix  A.  Audit  Process 


This  is  one  in  a  series  of  reports  being  issued  by  the  Inspector  General,  DoD,  in 
accordance  with  an  informal  partnership  with  the  Chief  Information  Officer,  DoD, 
to  monitor  DoD  efforts  to  address  the  Y2K  computing  challenge.  For  a  listing  of 
audit projects addressing this issue, see the Y2K webpage on IGnet at
http://www.ignet.gov. 


Scope 

Work  Performed.  We  reviewed  the  progress  that  the  DoD  health  care 
community  has  made  in  resolving  Y2K  computing  issues  with  AIS,  biomedical 
devices,  and  facility  devices.  We  reviewed  AIS  contracts  and  delivery  orders 
dated from December 18, 1997, through August 31, 1998. We also reviewed and
evaluated  the  inventory  and  reporting  procedures,  contingency  plans,  and  interface 
agreements,  for  AIS  dated  from  March  31, 1992,  through  July  28, 1998.  We 
interviewed  management  representatives  for  five  business  areas  who  are 
responsible  for  the  mission-critical  AIS  in  DoD  health  care. 

We also reviewed and evaluated the inventory and assessment procedures for
biomedical  devices  and  medical  facility  devices.  We  interviewed  management 
representatives  on  the  tri-service  process  action  team  who  are  responsible  for 
making biomedical devices Y2K compliant. We also interviewed medical facility
management  from  the  Army  Medical  Command,  the  Navy  Bureau  of  Medicine 
and  Surgery,  and  the  Air  Force  Medical  Logistics  Office  who  are  overseeing  the 
effort to make medical facility devices Y2K compliant.

We  compared  the  DoD  health  care  Y2K  efforts  to  those  prescribed  in  the 
June  1998  DoD  Management  Plan. 

Limitation  of  Audit  Scope.  Our  review  did  not  include  nonstandard  computer 
systems  or  applications  that  are  developed  outside  the  purview  of  the  Office  of  the 
ASD(HA), such as systems that may be developed locally by the Military
Departments.  We  did  not  test  Y2K  compliance  of  AIS,  biomedical  devices,  and 
facility  devices.  Our  review  was  limited  to  the  Y2K  management  process  in  those 
areas. 

DoD-Wide  Corporate  Level  Goals.  In  response  to  the  Government  Performance 
and  Results  Act,  DoD  has  established  6  DoD-wide  corporate-level  performance 
objectives  and  14  goals  for  meeting  the  objectives.  This  report  pertains  to 
achievement  of  the  following  objective  and  goal. 

Objective: Prepare now for an uncertain future. Goal: Pursue a focused
modernization effort that maintains U.S. qualitative superiority in key war
fighting  capabilities.  (DoD-3) 

DoD  Functional  Area  Reform  Goals.  Most  major  DoD  functional  areas  have 
also  established  performance  improvement  reform  objectives  and  goals.  This 
report  pertains  to  achievement  of  the  following  functional  area  objectives  and 
goals. 

•  Information  Technology  Management  Functional  Area. 

Objective:  Become  a  mission  partner.  Goal:  Serve  mission 
information  users  as  customers.  (ITM-1.2) 

•  Information  Technology  Management  Functional  Area. 

Objective:  Provide  services  that  satisfy  customer  information  needs. 
Goal:  Modernize  and  integrate  Defense  information  infrastructure. 
(ITM-2.2) 

•  Information  Technology  Management  Functional  Area. 

Objective:  Provide  services  that  satisfy  customer  information  needs. 
Goal:  Upgrade  technology  base.  (ITM-2.3) 

High-Risk Area. In its identification of risk areas, the General Accounting
Office  has  specifically  designated  risk  in  resolution  of  the  Y2K  problem  as  high. 
This  report  provides  coverage  of  that  problem. 


Methodology 

Audit  Type,  Dates,  and  Standards.  We  performed  this  program  audit  from 
February  through  August  1998  in  accordance  with  auditing  standards  issued  by 
the  Comptroller  General  of  the  United  States,  as  implemented  by  the  Inspector 
General,  DoD.  We  determined  that  the  internal  AIS  database  maintained  by  the 
Y2K  project  office  did  not  always  reflect  accurate  completion  dates  for  the  DoD 
Management  Plan  phases.  We  did  not  use  any  other  computer-processed  data  for 
this  audit. 

Contacts  During  the  Audit.  We  visited  or  contacted  individuals  and 
organizations  within  DoD  and  the  Departments  of  Health  and  Human  Services 
and  Veterans  Affairs.  Further  details  are  available  on  request. 

Management  Control  Program.  We  did  not  review  the  management  control 
program  related  to  the  overall  audit  objective  because  DoD  recognized  the  Y2K 
issue  as  a  material  management  control  weakness  area  in  the  FY  1997  Annual 
Statement  of  Assurance. 

Summary of Prior Coverage

The  General  Accounting  Office  and  the  Inspector  General,  DoD,  have  conducted 
multiple  reviews  related  to  Y2K  issues.  General  Accounting  Office  reports  can  be 
accessed  over  the  internet  at  http://www.gao.gov.  Inspector  General,  DoD, 
reports can be accessed over the internet at http://www.dodig.osd.mil.

Office of the Secretary of Defense

Under  Secretary  of  Defense  for  Acquisition  and  Technology 

Deputy  Under  Secretary  of  Defense  (Industrial  Affairs  and  Installations) 

Deputy Under Secretary of Defense (Logistics)

Director,  Defense  Logistics  Studies  Information  Exchange 
Director  of  Defense  Procurement 
Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Under  Secretary  of  Defense  (Personnel  and  Readiness) 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and  Intelligence) 
Deputy  Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and 
Intelligence,  Surveillance,  Reconnaissance,  and  Space  Systems) 

Deputy  Chief  Information  Officer  and  Deputy  Assistant  Secretary  of  Defense  (Chief 
Information  Officer  Policy  and  Implementation) 

Principal  Deputy  -  Y2K 
Assistant  Secretary  of  Defense  (Health  Affairs) 

Assistant  Secretary  of  Defense  (Public  Affairs) 


Joint  Staff 

Director,  Joint  Staff 

Department  of  the  Army 

Auditor  General,  Department  of  the  Army 
Inspector General, Department of the Army


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 

Auditor  General,  Department  of  the  Navy 

Inspector General, Department of the Navy

Superintendent,  Naval  Postgraduate  School 

Deputy  Naval  Inspector  General  for  Marine  Corps  Matters 

Department of the Air Force

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 
Inspector General, Department of the Air Force


Other  Defense  Organizations 

Director,  Defense  Contract  Audit  Agency 

Chief  Information  Officer,  Defense  Contract  Audit  Agency 
Director,  Defense  Information  Systems  Agency 

Inspector  General,  Defense  Information  Systems  Agency 
Chief  Information  Officer,  Defense  Information  Systems  Agency 
Director,  Defense  Logistics  Agency 
Director,  National  Security  Agency 

Inspector  General,  National  Security  Agency 
Inspector  General,  Defense  Intelligence  Agency 
Inspector  General,  Atlantic  Command 
Inspector  General,  European  Command 
Inspector  General,  Pacific  Command 


Non-Defense  Federal  Organizations  and  Individuals 

Office  of  Management  and  Budget 

Office of Information and Regulatory Affairs
National  Security  Division  Special  Projects  Branch 
General  Accounting  Office 

National  Security  and  International  Affairs  Division 
Technical  Information  Center 
Health,  Education,  and  Human  Services 

Director,  Defense  Information  and  Financial  Management  Systems,  Accounting  and 
Information  Management  Division 
Inspector  General,  Department  of  Health  and  Human  Services 
Inspector  General,  General  Services  Administration 
Inspector  General,  Department  of  Veterans  Affairs 

Chairman and ranking minority member of each of the following congressional
committees and subcommittees:

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 

Senate  Committee  on  Armed  Services 

Senate  Committee  on  Governmental  Affairs 

Senate  Special  Committee  on  the  Year  2000  Problem 

House  Committee  on  Appropriations 

House  Subcommittee  on  National  Security,  Committee  on  Appropriations 
House  Committee  on  Government  Reform  and  Oversight 

House Subcommittee on Government Management, Information, and Technology,
Committee  on  Government  Reform  and  Oversight 
House  Subcommittee  on  National  Security,  International  Affairs,  and  Criminal  Justice, 
Committee  on  Government  Reform  and  Oversight 
House  Committee  on  National  Security 

Part III - Management Comments


Principal  Deputy  Assistant  Secretary  of  Defense 
(Health Affairs) Comments


OFFICE  OF  THE  ASSISTANT  SECRETARY  OF  DEFENSE 
WASHINGTON,  DC  20301-1200 


HEALTH AFFAIRS


MEMORANDUM FOR DEPUTY INSPECTOR GENERAL, DEPARTMENT OF DEFENSE

SUBJECT:  Audit  Report  on  Year  2000  Computing  Issues  Related  to  Health  Care  in  DoD 
(Project  no.  2LF-5013) 


Reference  is  made  to  the  Director,  Readiness  and  Logistics  Support  Directorate 
memorandum,  dated  20  October  1998,  subject  as  above.  The  DoD  Inspector  General  Draft 
Audit  Report  documents  the  results  of  a  Health  Care  Y2K  audit  conducted  by  the  DoD  IG.  We 
appreciate your staff's cooperation and partnership in addressing the Y2K issues.

On 1 October 1998, we formally submitted a response to your Discussion Draft and have
aggressively  implemented  the  management  actions  indicated  in  Appendix  B  of  the  report, 
attachment  1.  We  continue  to  pursue  those  actions  vigorously  and  invite  your  team  to  revisit 
them  at  any  time.  Attachment  2  includes  additional  responses  to  the  draft  report  findings  for 
inclusion  in  the  final  report. 


Should  you  require  additional  information,  my  point  of  contact  is  Ms.  Clarissa  Reberkenny, 
Director,  Technology  Management,  Integration  and  Standards.  Ms.  Reberkenny  can  be  reached 
at  (703)  681-8823  or  by  e-mail  at  Clarissa.Reberkenny@tma.osd.mil. 


Gary A. Christopherson


Principal  Deputy  Assistant  Secretary 


Attachments
As  stated 

HEALTH AFFAIRS


OFFICE  OF  THE  ASSISTANT  SECRETARY  OF  DEFENSE 
WASHINGTON,  DC  20301-1200 

OCT  1998 


SUBJECT: Management Actions Taken Concurrent to Inspector General Year 2000 Audit


The evolving nature of Year 2000 (Y2K) issue as well as the equally dynamic approaches
to address the issue foster an environment of joint problem definition and problem solving.
The DoD Inspector General (IG) Discussion Draft documents the results of a Health Care Y2K
audit conducted by the DoD IG. This audit was conducted in an atmosphere of partnership and
cooperation. As issues surfaced during the audit, immediate actions were taken to implement
policy and procedures to address those issues. Significant IG findings and the prompt Office of
the Assistant Secretary of Defense (Health Affairs) (OASD(HA)) actions initiated during the
audit are attached.

I recognize the professional and cooperative approach taken by members of the IG staff and
would like to express my appreciation for their efforts in addressing the complex and pressing
problem.

Should you require additional information, my point of contact is Ms. Clarissa Reberkenny,
Director, Technology Management, Integration and Standards. Ms. Reberkenny can be reached
at (703) 681-8823 or by e-mail at Clarissa.Reberkenny@tma.osd.mil.


Principal Deputy Assistant Secretary

Attachment 
As  stated 


Attachment  1 

OASD(HA) Responses to the DoD Inspector General Findings


IG  Finding: 

Establish procedures requiring Automated Information System (AIS) project managers to
promptly  report  slippages  in  AIS  completion  dates  to  the  year  2000  program  office. 

OASD(HA) Response:

Procedures were put into place to ensure AIS project managers report accurate schedule
information. AIS Y2K project plans were updated and entered into an enterprise-wide project
management tool (Primavera P3). Actions were taken to provide managers at all levels access to
current schedule performance data. The Y2K Project Office uses this data to prepare all required
reports ensuring that reported data is current and accurate.

IG  Finding: 

Prepare contingency plans for all automated information systems that are two or more months
behind the required completion dates, in accordance with the DoD Year 2000 management plan.

OASD(HA) Response:

The Office of the Assistant Secretary of Defense (Health Affairs) (OASD(HA)) has prepared and
distributed the draft version of a contingency planning and continuity of operations planning
guide. Since a DoD guide for contingency plans has not been developed, OASD(HA) will
provide copies to the Office of the Assistant Secretary of Defense (Command, Control,
Communications and Intelligence) and other agencies for their use. The OASD(HA)
Information Management Program Review Board directed contingency plans for mission critical
AISs to be complete by 1 October 98. In addition, an independent validation of contingency
plans and continuity of operations plans has been incorporated into our compliance assurance
process.

IG Finding:

Prepare interface agreements for AISs in accordance with the DoD Year 2000 management plan.

OASD(HA) Response:

As  of  23  September  1998, 99  percent  of  required  interface  agreements  have  been  completed.  A 
quality  review  process  and  checklist  was  initiated  and  incorporated  into  our  compliance 
assurance  process.  All  agreements  have  been  reviewed  and  corrective  actions  required  have 
been  provided  to  the  AIS  program  managers. 




IG  Finding: 

Monitor  systems  in  which  year  2000  fixes  and  AIS  functionality  upgrades  have  been  combined, 
and  the  actions  necessary  to  ensure  that  slippage  does  not  occur  in  completing  year  2000 
compliance  in  mission  critical  systems. 

OASD(HA) Response:

Actions  were  initiated  to  accelerate  timelines  to  meet  DoD  mandated  completion  dates  for  our 
flagship  AIS,  the  Composite  Health  Care  System,  and  reviews  were  set  in  motion  to  ensure  all 
AIS  schedules  are  consistent  with  DoD  timelines,  regardless  of  the  complexity  of  the  software. 

IG Finding:

Determine where the AIS products purchased under the SHARP-G Program and D/SIDDOMS
(contracts DAW01-95-D-0024 and DAW01-95-D-0025) are being used with mission critical
systems and do the appropriate Y2K testing to mitigate risks.

OASD(HA) Response:

All components (hardware, software, and operating system software) of MHS AIS's are being
validated for Y2K compliance. All components purchased under contracts, with or without Y2K
clauses, will be tested as part of the AIS compliance assurance process.

IG Finding:

Perform sample tests of biomedical devices for Y2K compliance, where possible, of biomedical
devices deemed Y2K compliant by the manufacturer.

OASD(HA) Response:

OASD(HA) is fully committed to testing biomedical devices. To supplement manufacturer's
compliance assurances, selected mission critical biomedical devices will be tested to ensure Y2K
compliance.

IG  Finding: 

Issue  direction  to  the  Military  Department  Surgeons  General  that  require  medical  treatment 
facility commanders to coordinate with installation commanders to ensure that critical medical
facility devices are given priority in the Y2K compliance process.

OASD(HA) Response:

The  Military  Services  Deputy  Surgeons  General  have  prepared  and  distributed  Y2K  medical 
facility  guidance.  This  guidance  includes  a  requirement  to  coordinate  medical  facility  issues  and 
concerns  with  local  installation  commanders  and  facility  engineering  organizations  to  emphasize 
the  priority  of  resolving  medical  facility  Y2K  problems. 




OASD(HA) Responses to the
DoD Inspector General Findings and Recommendations


IG Finding:

Recommendations and Management Actions. Perform sample tests for year 2000 compliance,
where possible, of biomedical devices deemed year 2000 compliant by the manufacturer.

OASD(HA) Response: concur

OASD(HA)  is  working  in  conjunction  with  the  American  Hospital  Association  and  biomedical 
equipment manufacturers to outline criteria and methods to evaluate the manufacturers'
procedures  used  to  ensure  compliance.  A  consensus  within  the  health  community  regarding 
biomedical  equipment  testing  is  currently  being  resolved.  We  will  work  with  the  biomedical 
equipment  manufacturers  to  establish  procedures  for  validating  Y2K  compliance  of  critical 
biomedical  equipment. 

IG Finding:

Recommendations and Management Actions. Include the Assistant Secretary of Defense
(Command, Control, Communications, and Intelligence) year 2000 (Y2K) requirements in all
delivery orders for automated information systems under the Defense Medical Information
System/Systems Integration, Design, Development, Operations and Maintenance Services
(D/SIDDOMS) program.

OASD(HA) Response: concur

The D/SIDDOMS I contract was solicited, negotiated, and awarded prior to the requirement of
Y2K compliance language into contracts. The contracts will be transitioned to the recently
awarded D/SIDDOMS II contract by March 1999. The D/SIDDOMS II contract meets the
requirement for Y2K specific language. Until the transition is complete, all new Delivery Orders
awarded under D/SIDDOMS I will include Y2K language.


Attachment 2


Audit  Team  Members 


The Readiness and Logistics Support Directorate, Office of the Assistant
Inspector General for Auditing, DoD, produced this report.

Shelton  R.  Young 
Raymond  D.  Kidd 
Michael  A.  Joseph 
Sanford W. Tomlin
I.  Eugene  Etheridge 
James  A.  O'Connell 
Robert  T.  Briggs 
G.  Paul  Johnson 


